Step-by-Step Guide to Creating AWS Microsoft AD and Configuring for Single Sign-On

In this blog post I’m going to provide a step-by-step guide to create an AWS Microsoft AD and then configure it to enable access for single sign-on to the AWS Management Console. As part of this I’ll only allow Full Access to Amazon S3 for the Admin user account.

This opens a new browser tab directly on the AWS Identity and Access Management (IAM) Roles page. We now need to add some users or groups to an IAM Role to complete the integration. For this walkthrough I’m only going to grant the Admin user Full Access to Amazon S3 and nothing else.

This will now show that the Admin user within the Microsoft AD is added to the Role.

Testing Single Sign-On to the AWS Management Console

Open a Web Browser.

The URL that we actually need to access specifically for the AWS Management Console is http://corpaccess.awsapps.com/console

Navigate to the Access URL as noted above.

Log in using the Admin User and Password.

Navigate to Compute.

Click on “EC2”.

You’ll notice it says “You’re not authorized” against every function, because the Admin user has no access rights to EC2.

Return to the AWS Management Console.

Navigate to Storage.

Click on “S3”.

You’ll now notice that you get no errors when you create an S3 Bucket, because S3 is what we gave the IAM Role permission to access.

If we’re looking at combining this with Active Directory best practice, we should assign the IAM Roles to Microsoft AD groups (within the Active Directory) and then add the Active Directory users to those groups. This way you can utilise Role Based Access Control (RBAC) and apply the principle of least privilege.
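To check the role before handing it out through Directory Service, the following added example (my own code, not part of this guide or any AWS tooling) reproduces the test above offline: a simplified IAM evaluation that confirms an S3 full-access policy allows s3:CreateBucket but leaves EC2 actions unauthorised, and a check that the role’s trust policy names only ds.amazonaws.com, the service principal the Directory Service console requires on roles it assigns to directory users. The policy documents are constructed inline and the evaluator ignores Resource and Condition elements.

```python
import fnmatch

# Trust policy for a role that Directory Service will hand to directory users:
# only the ds.amazonaws.com service principal may assume it (constructed example).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ds.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Permissions equivalent to "Full Access to Amazon S3" and nothing else.
S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action):
    """Simplified IAM logic for an identity policy: implicit deny by default,
    any matching explicit Deny wins, otherwise a matching Allow grants access.
    Action patterns use IAM's * and ? wildcards and are case-insensitive."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def trusts_only_directory_service(trust_policy):
    """True when the only principal allowed to assume the role is ds.amazonaws.com."""
    principals = set()
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for kind, vals in stmt["Principal"].items():
            principals.update((kind, v) for v in _as_list(vals))
    return principals == {("Service", "ds.amazonaws.com")}

if __name__ == "__main__":
    for action in ("ec2:DescribeInstances", "s3:CreateBucket"):
        verdict = "allowed" if is_allowed(S3_FULL_ACCESS, action) else "not authorized"
        print(f"{action}: {verdict}")
    print("trust policy limited to Directory Service:", trusts_only_directory_service(TRUST_POLICY))
```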